{"description": "Make sure that the system is configured to limit the maximal rate for sending\nduplicate acknowledgments in response to incoming TCP packets that are for\nan existing connection but that are invalid due to any of these reasons:\n\n(a) out-of-window sequence number, (b) out-of-window acknowledgment number,\nor (c) PAWS (Protection Against Wrapped Sequence numbers) check failure.\nThis measure protects against or limits effects of DoS attacks against the system.\nSet the system to implement rate-limiting measures by adding the following line to\n<tt>/etc/sysctl.conf</tt> or a configuration file in the <tt>/etc/sysctl.d/</tt> directory\n(or modify the line to have the required value):\n<pre>net.ipv4.tcp_invalid_ratelimit = <sub idref=\"sysctl_net_ipv4_tcp_invalid_ratelimit_value\" /></pre>\nIssue the following command to make the changes take effect:\n<pre># sysctl --system</pre>", "rationale": "Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When\nthis occurs, the organization either cannot accomplish its mission or must\noperate at degraded capacity.\n<br /><br />\nThis can help mitigate simple \u201cack loop\u201d DoS attacks, wherein a buggy or\nmalicious middlebox or man-in-the-middle can rewrite TCP header fields in a\nmanner that causes each endpoint to think that the other is sending invalid\nTCP segments, thus causing each side to send an unterminating stream of\nduplicate acknowledgments for invalid segments.", "severity": "medium", "references": {"nerc-cip": ["CIP-007-3 R4", "CIP-007-3 R4.1", "CIP-007-3 R4.2", "CIP-007-3 R5.1"], "nist": ["SC-5"], "srg": ["SRG-OS-000420-GPOS-00186"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "rate limiting of duplicate TCP acknowledgments is not configured", "ocil": "To verify that the operating system protects against or limits the effects of DoS\nattacks by ensuring implementation of rate-limiting measures\non impacted network interfaces, run the following command:\n<pre># grep 'net.ipv4.tcp_invalid_ratelimit' /etc/sysctl.conf /etc/sysctl.d/*</pre>\nThe command should output the following line:\n<pre>/etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = <sub idref=\"sysctl_net_ipv4_tcp_invalid_ratelimit_value\" /></pre>\nThe file where the line has been found can differ, but it must be either <tt>/etc/sysctl.conf</tt>\nor a file located under the <tt>/etc/sysctl.d/</tt> directory.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to limit the maximal rate for sending duplicate acknowledgments.\n\nAdd or edit the following line in a system configuration file in the \"/etc/sysctl.d/\" directory:\nnet.ipv4.tcp_invalid_ratelimit = <sub idref=\"sysctl_net_ipv4_tcp_invalid_ratelimit_value\" />\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.", "vuldiscussion": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.\n\nThis requirement addresses the configuration of Ubuntu 22.04 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.", "checktext": "Verify \"nftables\" is configured to allow rate limits on any connection to the system with the following command:\n\n$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf\n\n# FirewallBackend\nFirewallBackend=nftables\n\nIf \"nftables\" is not set as the \"FirewallBackend\" default, this is a finding.", "fixtext": "Configure \"nftables\" to be the default \"firewallbackend\" for \"firewalld\" by adding or editing the following line in \"/etc/firewalld/firewalld.conf\":\n\nFirewallBackend=nftables\n\nEstablish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces."}}, "platform": null, "platforms": [], "sce_metadata": {"check-import": "stdout", "check-export": ["sysctl_net_ipv4_tcp_invalid_ratelimit_value=xccdf_org.ssgproject.content_value_sysctl_net_ipv4_tcp_invalid_ratelimit_value"], "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_net_ipv4_tcp_invalid_ratelimit.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_net_ipv4_tcp_invalid_ratelimit.sh"}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "net.ipv4.tcp_invalid_ratelimit", "datatype": "int"}, "backends": {}}}